Dashboards & Visualizations

How to display the difference between two columns as a single value, along with showing an arrow of difference, without using timechart?

KASKIRANA1122
New Member

I have this query
| inputlookup test
| search Feed=win
| stats dc(ServerName) as ExpectedCount
| appendcols [search index=win earliest=-1d@d latest=-0d@h
    | stats dc(host) as Currentcount ]
| eval delta=ExpectedCount-Currentcount

Now I want to display the current count as a single value, along with the delta in red/green with an arrow.

Can you please help?


diptendu
New Member

How can the query be changed so that the XML need not be written? How can the timechart command be used to display the difference?


niketn
Legend

@KASKIRANA1122, what you are requesting seems to be a candidate for Splunk Status Indicator Custom Visualization.

Please see below a run-anywhere dashboard that shows the icon color based on the Delta, and also the Current Value.


Following is the complete Simple XML:

<dashboard>
  <label>Single Value with delta icon and color</label>
  <search>
    <query>| makeresults
| fields - _time
| eval ExpectedCount=substr("".random(),0,4)
| appendcols [search index=_internal sourcetype=splunkd log_level!=INFO earliest=-1d@d latest=-0d@h
| stats count as Currentcount]
| eval delta=ExpectedCount-Currentcount</query>
    <sampleRatio>1</sampleRatio>
    <done>
      <!-- Fallback when the search returns no rows: $result.*$ tokens are not available, so both tokens default to 0 -->
      <condition match="$job.resultCount$==0">
        <set token="tokCurrentCount">0</set>
        <set token="tokDelta">0</set>
      </condition>
      <!-- Normal case: take Currentcount and delta from the first result row -->
      <condition>
        <set token="tokCurrentCount">$result.Currentcount$</set>
        <eval token="tokDelta">$result.delta$</eval>
      </condition>
    </done>
  </search>
  <row>
    <panel>
      <title>Current Value (Delta)</title>
      <viz type="status_indicator_app.status_indicator">
        <search>
          <query>| makeresults
            | eval display="$tokCurrentCount$ ($tokDelta$)"
            | eval icon=if($tokDelta$>=0,"arrow-circle-o-up","arrow-circle-o-down")
            | eval color=if($tokDelta$>=0,"#65a637","#d93f3c")
            | table display icon color
          </query>
        </search>
        <option name="height">150</option>
        <option name="status_indicator_app.status_indicator.colorBy">field_value</option>
        <option name="status_indicator_app.status_indicator.fillTarget">background</option>
        <option name="status_indicator_app.status_indicator.fixIcon">warning</option>
        <option name="status_indicator_app.status_indicator.icon">field_value</option>
        <option name="status_indicator_app.status_indicator.precision">0</option>
        <option name="status_indicator_app.status_indicator.showOption">1</option>
        <option name="status_indicator_app.status_indicator.staticColor">#555</option>
        <option name="status_indicator_app.status_indicator.useColors">true</option>
        <option name="status_indicator_app.status_indicator.useThousandSeparator">true</option>
      </viz>
    </panel>
  </row>
</dashboard>
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
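Added example (not from the thread): a single search that computes the same delta as the question's query, but also handles the empty-subsearch case with fillnull and emits the display, icon and color fields directly, so the Status Indicator panel needs no tokens or `<done>` block. It assumes the lookup `test` (fields Feed, ServerName) and index `win` from the question; a positive delta means expected servers that have not reported in the window, which this version colors red.

```spl
| inputlookup test
| search Feed=win
| stats dc(ServerName) as ExpectedCount
| appendcols [
    search index=win earliest=-1d@d latest=-0d@h
    | stats dc(host) as Currentcount
  ]
| fillnull value=0 ExpectedCount Currentcount
| eval delta=ExpectedCount-Currentcount
| eval display=Currentcount." (".delta.")"
| eval icon=if(delta>0,"arrow-circle-o-down","arrow-circle-o-up")
| eval color=if(delta>0,"#d93f3c","#65a637")
| table display icon color
```

Point the status_indicator viz's own `<search>` at this query and keep the panel options from the dashboard above (colorBy and icon set to field_value); fillnull keeps delta numeric when the appendcols subsearch returns no row, which the token-based version has to special-case in `<done>`.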